Your message dated Thu, 04 Dec 2014 13:34:25 +0000
with message-id <[email protected]>
and subject line Bug#771987: fixed in gnupg 1.4.18-5
has caused the Debian Bug report #771987,
regarding gnupg: several gnupg failures (infinite loop, NULL deref,
out-of-bounds read, printing failure) on bad input
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
771987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771987
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg
Version: 1.4.12-7+deb7u6
Severity: important
Tags: patch upstream
GnuPG upstream has fixed several minor failures on bad input recently,
but the fixes haven't made it into a released version of the 1.4.x
branch.
Those errors are:

 * https://bugs.g10code.com/gnupg/issue1713 - endless loop on bad input to mpi_invm
 * https://bugs.g10code.com/gnupg/issue1761 - canceled passphrase entry can cause a NULL dereference
 * off-by-one read in the UAT parser (see upstream commit 0988764397f99db4efef1eabcdb8072d6159af76)
 * Possible printing of unprintable data when listing signature subpackets (see upstream commit 596ae9f5433ca3b0e01f7acbe06fd2e424c42ae8)

I'm attaching patches for all these issues, pulled from upstream git's
STABLE-BRANCH-1-4.
--dkg
-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnupg depends on:
ii dpkg 1.16.15
ii gpgv 1.4.12-7+deb7u6
ii install-info 4.13a.dfsg.1-10
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38+deb7u6
ii libreadline6 6.2+dfsg-0.1
ii libusb-0.1-4 2:0.1.12-20+nmu1
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages gnupg recommends:
pn gnupg-curl <none>
ii libldap-2.4-2 2.4.31-1+nmu2
Versions of packages gnupg suggests:
pn gnupg-doc <none>
pn libpcsclite1 <none>
pn xloadimage | imagemagick | eog <none>
-- no debconf information
From cd53cdbc3774fb193bdebcdc5d7019ddebc16dbc Mon Sep 17 00:00:00 2001
From: Werner Koch <[email protected]>
Date: Thu, 11 Sep 2014 17:06:16 +0200
Subject: [PATCH 07/20] mpi: Improve mpi_invm to detect bad input.
* mpi/mpi-inv.c (mpi_invm): Return 0 for bad input.
--
Without this patch the function may enter an endless loop. This is a
backport from libgcrypt.
GnuPG-bug-id: 1713
---
mpi/mpi-inv.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/mpi/mpi-inv.c b/mpi/mpi-inv.c
index b762630..361c57e 100644
--- a/mpi/mpi-inv.c
+++ b/mpi/mpi-inv.c
@@ -165,6 +165,11 @@ mpi_invm( MPI x, MPI a, MPI n )
int sign;
int odd ;
+ if (!mpi_cmp_ui (a, 0))
+ return 0; /* Inverse does not exists. */
+ if (!mpi_cmp_ui (n, 1))
+ return 0; /* Inverse does not exists. */
+
u = mpi_copy(a);
v = mpi_copy(n);
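Review bot: the two early returns added at the top of mpi_invm report bad input only through the return value 0 and leave x unmodified, and nothing in this hunk documents that convention. Suggest stating in the function's header comment what is returned on success and on failure, and that x is not written when 0 is returned, so callers know to test the result before using x. The guards cover a == 0 and n == 1 only; if other non-invertible inputs are handled elsewhere, a comment saying so would help. Nit: both comments should read "Inverse does not exist."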
--
2.1.3
From 69767ccf4218d0dc5ef2d7e141be0f14c88fea59 Mon Sep 17 00:00:00 2001
From: Werner Koch <[email protected]>
Date: Mon, 24 Nov 2014 19:32:47 +0100
Subject: [PATCH 16/20] gpg: Fix a NULL-deref for invalid input data.
* g10/mainproc.c (proc_encrypted): Take care of canceled passphrase
entry.
--
GnuPG-bug-id: 1761
Signed-off-by: Werner Koch <[email protected]>
(backported from commit 32e85668b82f6fbcb824eea9548970804fb41d9e)
---
g10/mainproc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/g10/mainproc.c b/g10/mainproc.c
index d355a21..15baefe 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -540,7 +540,9 @@ proc_encrypted( CTX c, PACKET *pkt )
result = -1;
else if( !c->dek && !c->last_was_session_key ) {
int algo;
- STRING2KEY s2kbuf, *s2k = NULL;
+ STRING2KEY s2kbuf;
+ STRING2KEY *s2k = NULL;
+ int canceled;
if(opt.override_session_key)
{
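Review bot: `int canceled;` is declared without an initializer, and the next hunk reads it in `else if (canceled)` whenever passphrase_to_dek returns NULL. That is only safe if passphrase_to_dek stores through the pointer on every return path, which these lines do not show. Suggest `int canceled = 0;` so the branch is well defined regardless of what the callee does.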
@@ -580,9 +582,13 @@ proc_encrypted( CTX c, PACKET *pkt )
log_info (_("assuming %s encrypted data\n"), "IDEA");
}
- c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 0, NULL, NULL );
+ c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 0, NULL,&canceled);
if (c->dek)
c->dek->algo_info_printed = 1;
+ else if (canceled)
+ result = G10ERR_CANCELED;
+ else
+ result = G10ERR_PASSPHRASE;
}
}
else if( !c->dek )
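Review bot: the new else branches after passphrase_to_dek only assign result (G10ERR_CANCELED or G10ERR_PASSPHRASE), so the NULL-deref fix depends on code below this hunk testing result before it touches c->dek, and that code is not visible here. Worth confirming that path and, if it holds, saying so in a short comment next to the assignments so a later refactor does not reintroduce the dereference. Nit: `NULL,&canceled` is missing the space after the comma that the other arguments in the call have.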
--
2.1.3
From 2b4809406b6536cbb67a2282bf855710b8454dc2 Mon Sep 17 00:00:00 2001
From: Werner Koch <[email protected]>
Date: Mon, 24 Nov 2014 19:38:04 +0100
Subject: [PATCH 17/20] gpg: Fix off-by-one read in the attribute subpacket
parser.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <[email protected]>
(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)
---
g10/parse-packet.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index dcda8ef..db1702f 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2026,6 +2026,14 @@ parse_attribute_subpkts(PKT_user_id *uid)
if( buflen < n )
goto too_short;
+ if (!n)
+ {
+ /* Too short to encode the subpacket type. */
+ if (opt.verbose)
+ log_info ("attribute subpacket too short\n");
+ break;
+ }
+
attribs=xrealloc(attribs,(count+1)*sizeof(struct user_attribute));
memset(&attribs[count],0,sizeof(struct user_attribute));
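Review bot: the new `if (!n)` case leaves the loop with `break`, while the length check directly above it uses `goto too_short`, so a zero-length attribute subpacket ends parsing quietly and is only reported when opt.verbose is set. If the difference is intentional (keep the subpackets parsed so far instead of treating the whole packet as short), a comment should say so; otherwise route it through too_short or log it unconditionally, since a malformed packet is worth surfacing to the user.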
--
2.1.3
From 2d359681f08999686734421228cb69893d8a0060 Mon Sep 17 00:00:00 2001
From: Werner Koch <[email protected]>
Date: Mon, 24 Nov 2014 19:41:46 +0100
Subject: [PATCH 18/20] gpg: Fix use of uninit.value in listing sig subpkts.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* g10/parse-packet.c (dump_sig_subpkt): Print regex subpacket
sanitized.
--
We may not use "%s" to print an arbitrary buffer. At least "%.*s"
should have been used. However, it is in general preferable to escape
control characters while printf user data.
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <[email protected]>
(backported from commit 596ae9f5433ca3b0e01f7acbe06fd2e424c42ae8)
---
g10/parse-packet.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index db1702f..01600e4 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -892,13 +892,18 @@ dump_sig_subpkt( int hashed, int type, int critical,
if(length!=2)
p="[invalid trust subpacket]";
else
- fprintf (listfp, "trust signature of depth %d, value %d",buffer[0],buffer[1]);
+ fprintf (listfp, "trust signature of depth %d, value %d",
+ buffer[0],buffer[1]);
break;
case SIGSUBPKT_REGEXP:
if(!length)
p="[invalid regexp subpacket]";
else
- fprintf (listfp, "regular expression: \"%s\"",buffer);
+ {
+ fprintf (listfp, "regular expression: \"");
+ print_string (listfp, buffer, length, '\"');
+ p = "\"";
+ }
break;
case SIGSUBPKT_REVOCABLE:
if( length )
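Review bot: in the SIGSUBPKT_REGEXP branch, `print_string (listfp, buffer, length, '\"')` now emits all length bytes, where the old "%s" stopped at the first NUL. If the subpacket body carries a terminating NUL inside length, the listing will gain an escaped NUL before the closing quote; consider trimming a trailing NUL before the call, or note that the change in output is intended. Separately, the re-wrapped fprintf in the trust signature case is a whitespace-only change unrelated to the fix and would be easier to review as its own commit.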
--
2.1.3
--- End Message ---
--- Begin Message ---
Source: gnupg
Source-Version: 1.4.18-5
We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 04 Dec 2014 01:11:22 -0500
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all
Version: 1.4.18-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG-Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Description:
gnupg - GNU privacy guard - a free PGP replacement
gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
gpgv - GNU privacy guard - signature verification tool
gpgv-udeb - minimal signature verification tool (udeb)
gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 739424 769571 770726 770816 771987 771992
Changes:
gnupg (1.4.18-5) unstable; urgency=medium
.
[ Daniel Kahn Gillmor ]
* move to debhelper 9
* add build and runtime support for larger RSA keys (Closes: #739424)
* fix runtime errors on bad input (Closes: #771987)
* deprecate insecure one-argument variant for gpg --verify of detached
signatures (Closes: #771992)
* sync documentation with upstream.
* Standards-Version: bump to 3.9.6 (no changes needed).
.
[ David Prévot ]
* Update POT and PO files, and ensure the translations get rebuild
* Update French translation (Closes: #769571)
* Update Danish Translation, thanks to Joe Hansen
* Update Ukrainian translation, thanks to Yuri Chornoivan
* Update Russian translation, thanks to Ineiev
* Update Chinese (traditional) translation, thanks to Jedi Lin
* Update Italian translation, thanks to Milo Casagrande
* Update Polish translation, thanks to Jakub Bogusz
* Update Spanish translation, thanks to Manuel "Venturi" Porras Peralta
(Closes: #770726)
* Update Dutch translation, thanks to Frans Spiesschaert (Closes: #770816)
* Update Czech translation, thanks to Roman Pavlik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---